From its inception, the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) was intended to further enforce many rules within the Health Insurance Portability and Accountability Act (HIPAA). As such, understanding the HIPAA-HITECH relationship is an important task for healthcare officials.

The HITECH Act changed the standards HHS uses to evaluate hospitals, expanded the pool of organizations that must comply with those standards and bolstered the HHS Office for Civil Rights’ tools of enforcement.

Indeed, when HHS first announced HITECH, HIPAA enforcement policies were discussed extensively.

“The Department’s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual’s health information,” then-OCR Director Georgina Verdugo said in a 2009 press release implementing the HITECH Act interim final rule. “Such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”

The HITECH Act’s high-level purpose is “to promote the adoption and meaningful use of health information technology.” In that quest to push hospitals into the digital world, HITECH also made HIPAA more relevant and consequential to a much larger pool of people within the healthcare community.

Below we outline two of the most direct HIPAA-HITECH intersections to help readers wrap their heads around these complex laws (and avoid the costly penalties that can come with any confusion).

HITECH Broadens HIPAA Coverage

The HITECH Act made HIPAA relevant to a whole new class of organizations, with Subtitle D extending portions of HIPAA’s Privacy and Security Provisions to a broader class of “business associates.”

Previously, HIPAA defined a business associate as “a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information.” Under HITECH, that broader class of business associates also includes:

- People who offer personal health records to others on behalf of a covered entity

- People who provide data transmission services involving PHI to a covered entity AND require routine access to PHI

- “Subcontractors” that create, receive, maintain or transmit PHI on behalf of a business associate (thus subcontractors are anyone to whom a business associate has delegated a function, activity or service, where that activity involves PHI)

HITECH did not revoke HIPAA exceptions to the business associate standard (outlined in HIPAA Sections 164.308(b)(2) and 164.502(e)(1)(ii)).

HITECH Categorizes HIPAA Violations, Tiers HIPAA Fines

Before the HITECH Act was enacted in 2009, the HHS Secretary was unable to impose penalties of more than $100 for each HIPAA violation or $25,000 for all HIPAA violations of the same type.

Prior to HITECH, HIPAA also allowed a covered entity to avoid a penalty if it could demonstrate that it didn’t know it was failing to comply with HIPAA.

HITECH Section 1176(a) created categories of HIPAA penalties meant to distinguish between the nature and extent of different violations and the harm they cause patients.

There are now three broad categories of HIPAA violations that correspond with different civil penalties. We have included a visual summary of these fines from the 2009 HITECH Interim Final Rule below:

These fines are outlined in more detail below:

If a HIPAA violation occurs in which the entity didn’t know and by exercising reasonable diligence couldn’t have known that a person violated a HIPAA provision, it will pay at least $100 for each such violation (and not exceeding $25,000 per calendar year), but not more than $50,000 for each violation (and not exceeding $1.5 million per calendar year).

In the case of a HIPAA violation that is due to reasonable cause (and not willful neglect), the entity will pay at least $1,000 for each violation but not more than $100,000 per calendar year. Reasonable cause is defined as “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”

In the case of violations due to willful neglect, there are two tiers of penalties. If the violation is corrected, the penalty is at least $10,000 for each HIPAA violation (and cannot exceed $100,000 per calendar year), but not more than $50,000 per HIPAA violation (and not more than $1.5 million per calendar year). If the violation is not corrected, then the penalty is at least $50,000 for each HIPAA violation (and not more than $1.5 million per calendar year). The HITECH Act stipulates further that “In determining the amount of a penalty under this section for a violation, the Secretary shall base such determination on the nature and extent of the violation and the nature and extent of the harm resulting from such violation.”

Examining The HIPAA-HITECH Connection Further

There are of course many other ways the HIPAA-HITECH worlds overlap. Both HIPAA and HITECH are such sweeping laws that they often address similar areas, particularly around electronic medical records, their “meaningful use” and PHI.

Officials in the healthcare space need all the help they can get to understand these regulations completely. Campus Safety is happy to serve as a resource!

Editor’s note: Information in Campus Safety is intended to help readers understand complex regulatory landscapes but should not be interpreted as official guidance. Refer to the text of the actual laws for direct government instruction.

About the Author

Zach Winn is a journalist living in the Boston area. He was previously a reporter for Wicked Local and graduated from Keene State College in 2014, earning a Bachelor’s Degree in journalism and minoring in political science.
